Glieder (aka Bagle, version eightysomething)

Mark my words. This evil worm acts intelligently, like never seen
before. Win32.Glieder (aka Bagle) attacks viruses, and then uses them
for personal purposes. It's like "the Thing" sneaking inside "Alien"
in your computer.

Watch your mail,... but don't expect to notice what you are looking
for. The trick is that multiple versions of Glieder (Bagle) are
already found by security companies all over our Globe. The worm uses
your mail list to spread, closes down Windows Update (well,... perhaps
not the worst thing), but doing that, it separates the user from any
help he/she could receive from Microshoot.

The nasty news is that there is bad company. Along with Glieder, you
will get infected by Win32.Mitglieder. This will close down your
firewall,... oh yes,.. and also your antivirus.

Meanwhile I'll update my antivirus definition. And so should you before
you go to bed.

NonDisputandum.com wrote:
> The new Bagle variant will loot and destroy.
>
> Mark my words. This evil worm acts intelligently, like never seen
> before. Win32.Glieder (aka Bagle) attacks viruses, and then uses them
> for personal purposes. It's like "the Thing" sneaking inside "Alien"
> in your computer.
>
> Watch your mail,... but don't expect to notice what you are looking
> for. The trick is that multiple versions of Glieder (Bagle) are
> already found by security companies all over our Globe. The worm uses
> your mail list to spread, closes down Windows Update (well,... perhaps
> not the worst thing), but doing that, it separates the user from any
> help he/she could receive from Microshoot.
>
> The nasty news is that there is bad company. Along with Glieder, you
> will get infected by Win32.Mitglieder. This will close down your
> firewall,... oh yes,.. and also your antivirus.
>
> Meanwhile I'll update my antivirus definition. And so should you before
> you go to bed.
>
>
AHHHHHHHHHHHHHHHHHHHHHHH!!!!
A TALKING MUFFIN!!!!!

| On Thu, 2 Jun 2005 14:14:53 -0500, "Tom Pepper Willett"
| <tomdpepper@mvps.org> wrote:
|
| Yes old virus, but not old news.
| This version is different.
| If this can not be discussed here,.. then where?
|
| Perhaps I could have chosen my words differently, yes,.. it's
| exaggerated, but that does not change a thing. The technique of
| spreading & harming is never seen. So it's worth mentioning.
|

Yes it is. However, you haven't posted URLs from any AV vendor libraries.

Do you have a URL from an AV vendor that is specific to this new variant?

>From: "NonDisputandum.com" <webmaster_remove@remove_nondisputandum.com>
>
>| On Thu, 2 Jun 2005 14:14:53 -0500, "Tom Pepper Willett"
>| <tomdpepper@mvps.org> wrote:
>|
>| Yes old virus, but not old news.
>| This version is different.
>| If this can not be discussed here,.. then where?
>|
>| Perhaps I could have chosen my words differently, yes,.. it's
>| exaggerated, but that does not change a thing. The technique of
>| spreading & harming is never seen. So it's worth mentioning.
>|
>
>
>Yes it is. However, you haven't posted URLs from any AV vendor libraries.
>
>Do you have a URL from an AV vendor that is specific to this new variant?

As long as you stick to the major antivirus players that check your
incoming files (mail & webcontent) you will rapidly get an update.
Even with a free antivirus like AVG, Avast,...
Those I trust are reviewed on my website > anti-virus pages.
Friendly greeting. Combine that with a safe browser & a firewall.

>> Yes it is. However, you haven't posted URLs from any AV vendor libraries.
>>
>> Do you have a URL from an AV vendor that is specific to this new variant?
|
| As long as you stick to the major antivirus players that check your
| incoming files (mail & webcontent) you will rapidly get an update.
| Even with a free antivirus like AVG, Avast,...
| Those I trust are reviewed on my website > anti-virus pages.
| Friendly greeting. Combine that with a safe browser & a firewall.
|
| --
| www.nondisputandum.com - soft reviews:
| freeware to Protect & Clean your PC
| freeware Office tools & Webbuilding aid
| + the Internet Addiction Test ;-)

>From: "NonDisputandum.com" <webmaster_remove@remove_nondisputandum.com>
>
>
>>> Yes it is. However, you haven't posted URLs from any AV vendor libraries.
>>>
>>> Do you have a URL from an AV vendor that is specific to this new variant?
>|
>| As long as you stick to the major antivirus players that check your
>| incoming files (mail & webcontent) you will rapidly get an update.
>| Even with a free antivirus like AVG, Avast,...
>| Those I trust are reviewed on my website > anti-virus pages.
>| Friendly greeting. Combine that with a safe browser & a firewall.
>|
>| --
>| www.nondisputandum.com - soft reviews:
>| freeware to Protect & Clean your PC
>| freeware Office tools & Webbuilding aid
>| + the Internet Addiction Test ;-)
>
>That's not what I asked nor what I desired. But thanx anyway.

No, but it is relevant imho and you will find it easily.
If you seek links, go see
http://www.nondisputandum.com/html/anti_virus.html

At the time Panda does not list Win32.Glieder yet,
neither does Stinger...
So I guess that it's a bit early indeed

|
| No, but it is relevant imho and you will find it easily.
| If you seek links, go see
| http://www.nondisputandum.com/html/anti_virus.html
|
| At the time Panda does not list Win32.Glieder yet,
| neither does Stinger...
| So I guess that it's a bit early indeed
|
| --
| www.nondisputandum.com - soft reviews:
| freeware to Protect & Clean your PC
| freeware Office tools & Webbuilding aid
| + the Internet Addiction Test ;-)

No, no, no....

You miss my point and question so I will start again ;-)

You stated...

"The new Bagle variant will loot and destroy.

Mark my words. This evil worm acts intelligently, like never seen
before. Win32.Glieder (aka Bagle) attacks virusses, and than uses them
for personal purposes. It's like "the Thing" sneeking inside "Alien"
in your computer."

OK. Now there is no standardization in the naming convention of viruses between anti virus
vendors.

For example,
Lovsan and Blaster are the same virus.
Nachi and Welchia are the same
Beagle and Bagle are the same

The list is long....

Now, it is hard to determine what variant is of the W32/Bagle vs Win32.Glieder because the
two may be the same or be different variants entirely.

So the question I had was what was the AV library writeup of the new variant that you are
indicating in this thread.

As for Stinger, it targets W32/Bagle.a@MM through W32/Bagle.bt@MM

What variant is this that is the topic of "this discussion", for example W32/Bagle.br was
added to McAfee DAT v4506 Today. -- http://vil.nai.com/vil/content/v_133033.htm

The last time Stinger was updated (5/2/05 - v2.5.4), the variants .bo ~ .bt were added (
W32/Bagle.bo - bt@MM )
And if the Glieder is the same as Bagle then you will not see the Glieder added to the list
of Stinger infector targets.

<cut>
>And if the Glieder is the same as Bagle then you will not see the Glieder added to the list
>of Stinger infector targets.

Glieder is the new name given to it to indicate that in fact the virus
is that much changed that it became "something" new.
The virulence is assumed to be of a new level.
At the time I have no idea if it is removed by antivirus soft that
also removes other Bagle versions, what is - of course - the most
important info about the issue...

Perhaps you write of a trojan horse dropped by what Symantec calls
W32.Beagle.BN@mm. This trojan horse is variously termed
Win32.Glieder.{T...V, &, AA...AF} by Computer Associates
Email-Worm.win32.Bagle.pac by Kaspersky Lab
Email-Worm.Win32.Bagle{bi...bn} by Kaspersky Lab
W32/Bagle.br by McAfee
W32/Bagle.gen@mm by McAfee,
Troj/Bagle.BH by Trend Micro

The W32/Bagle.br name intrigues me because I receive four or five messages
per day, in Portuguese, and with a '.br' domain. Since I only download the
headers for such email, consider them spam, then delete them from the ISP
mail server, I haven't really given my antivirus a chance to scan the
messages. My ISP (Earthlink) uses antivirus scanning of email, but it
hasn't notified me of a virus detected in email with a '.br' domain.

So, could you expand on the information you posted, as it is unclear to me
what you are specifically reporting, and if it is a variant that is not
already detected by a broad range of antivirus programs. Should I be
concerned, or should I assume that your report information is also generally
known? I just can't tell from the information you have posted. Could you
please help?

Phil Weldon

"NonDisputandum.com" <webmaster_remove@remove_nondisputandum.com> wrote in
message news:4vr3a114vpn83q9a3nt7o91agudeag0k4m@4ax.com...
> On Fri, 3 Jun 2005 20:27:05 -0400, "David H. Lipman"
> <DLipman~nospam~@Verizon.Net> wrote:
>
> <cut>
>>And if the Glieder is the same as Bagle then you will not see the Glieder
>>added to the list
>>of Stinger infector targets.
>
> Glieder is the new name given to it to indicate that in fact the virus
> is that much changed that it became "something" new.
> The virulence is assumed to be of a new level.
> At the time I have no idea if it is removed by antivirus soft that
> also removes other Bagle versions, what is - of course - the most
> important info about the issue...
>
>
> --
> www.nondisputandum.com - soft reviews:
> freeware to Protect & Clean your PC
> freeware Office tools & Webbuilding aid
> + the Internet Addiction Test ;-)
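
Added example (not part of any poster's message, and not any vendor's code): the naming problem discussed in the two posts above, shown as a small Python parser that reduces vendor detection names quoted in this thread to a family and a variant, and checks a name against Stinger's stated range. The alias table comes from the thread; treating `gen` and `pac` as non-sequence tags is an assumption.

```python
import re

# Family aliases taken from this thread; Glieder is Computer Associates' name
# for recent Bagle variants (per the ZDNet quote later in the thread).
FAMILY_ALIASES = {"beagle": "bagle", "glieder": "bagle",
                  "lovsan": "blaster", "welchia": "nachi"}
# Leading tokens that are platform/type tags rather than family names.
PREFIXES = {"w32", "win32", "troj", "email-worm"}
# Assumption: these suffixes seen in the thread are generic/packer tags,
# not sequence letters, so they cannot be placed in a variant range.
NON_SEQUENCE = {"gen", "pac"}

def parse_detection(name):
    """Return (canonical_family, variant) for a vendor detection name."""
    core = name.split("@")[0]               # drop the @mm / @MM mass-mailer tag
    tokens = [t.lower() for t in re.split(r"[./]", core) if t]
    while tokens and tokens[0] in PREFIXES:
        tokens.pop(0)
    if not tokens:
        raise ValueError(f"no family name in {name!r}")
    family = FAMILY_ALIASES.get(tokens[0], tokens[0])
    return family, (tokens[1] if len(tokens) > 1 else "")

def variant_index(variant):
    """Position in the sequence a, b, ..., z, aa, ab, ... (bijective base 26)."""
    if not re.fullmatch(r"[a-z]+", variant) or variant in NON_SEQUENCE:
        raise ValueError(f"{variant!r} is not a sequence variant")
    index = 0
    for ch in variant:
        index = index * 26 + (ord(ch) - ord("a") + 1)
    return index

def covered_by_range(name, first, last):
    """True if `name` lies in a published range first..last.

    All three names must come from the SAME vendor: variant letters are
    assigned per vendor and do not line up across vendors.
    """
    fam, var = parse_detection(name)
    first_fam, first_var = parse_detection(first)
    last_fam, last_var = parse_detection(last)
    if not fam == first_fam == last_fam:
        return False
    try:
        return variant_index(first_var) <= variant_index(var) <= variant_index(last_var)
    except ValueError:
        return False                        # generic tag or missing variant

if __name__ == "__main__":
    # Names listed in the thread, from different vendors.
    for n in ["W32.Beagle.BN@mm", "W32/Bagle.br", "Troj/Bagle.BH",
              "Email-Worm.win32.Bagle.pac", "W32/Bagle.gen@mm"]:
        print(n, "->", parse_detection(n))
    # Stinger's stated target range, W32/Bagle.a@MM through W32/Bagle.bt@MM.
    print(covered_by_range("W32/Bagle.br", "W32/Bagle.a@MM", "W32/Bagle.bt@MM"))
```

The Symantec and McAfee names resolve to the same family but carry different variant letters (BN versus br), which is why a family match alone does not answer whether a given product covers a given sample.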

NonDisputandum.com

07-09-2005, 10:49 PM

<cut>
>So, could you expand on the information you posted, as it is unclear to me
>what you are specifically reporting, and if it is a variant that is not
>already detected by a broad range of antivirus programs. Should I be
>concerned, or should I assume that your report information is also generally
>known? I just can't tell from the information you have posted. Could you
>please help?
>
>Phil Weldon

June 2 by ZD Net
http://news.zdnet.com/2100-1009_22-5729426.html?tag=nl.e589
<quote> The variants, which Computer Associates International has
given a new name--Glieder--because it says they are so different from
previous Bagle worms, combine several elements in a way not seen
before. In this staged approach, viruses seed their victims, then
disarm them, and then finally exploit them. "We've seen blended
threats before where a virus uses several methods to spread, but not
like this" said Chris Thomas, a Computer Associates Australia security
architect. </quote>

So this is no ordinary Bagle variant anymore as far as I understand
it. Well, we've heard alarming stories before. I believe that this is
simply a variant on known techniques, but the combination of infective
techniques are getting 'better' and 'better' (what's in a word) and
the combination of collaborating tools (Glieder & MitGlieder) is,
though not really new, becoming somehow worrisome. I guess that it's
another challenge for virus fighters, and then they are capable of
coping with it. On the other hand, those who do not protect will
more easily be picked out and infected. (If the information of CA is
correct)

May 31 (again ZD Net)
http://news.zdnet.com/2100-1009_22-5726802.html?tag=nl
There was written:
<quote>These recent ones (Bagle) are more of the same, said Alfred
Huger, senior director of engineering at Symantec Security Response.
"They are both, thankfully, fairly low-risk threats at this stage, in
terms of their spread. We're seeing a low number of
infections."</quote>

So I guess that if these two experts are correct, the latest
evolutions should have been somewhere between these dates?
Perhaps you have other/more adequate information?

Gee, if you had just attributed the quotes in the first place, rather than
passing them on as your own, then we all would have been better off, and
saved a lot of time. Please ATTRIBUTE! Not to do so is dishonest, and
hurts your reputation.

Phil Weldon

"NonDisputandum.com" <webmaster_remove@remove_nondisputandum.com> wrote in
message news:i1c5a11j7q4rneg2lv0qmp2pffrpj9p74g@4ax.com...
> Both Glieder and Mitglieder are known for some time,... though it's
> the combination & stages of processes that seems to worry the
> experts,.. at least Chris Thomas of Computer Associates.
>
> <quote> "We've seen blended threats before where a virus uses several
> methods to spread, but not like this" </quote>
>
> More on Glieder at CA
> http://search.ca.com/search/ca/?col=&qp=&qs=&qc=&pw=100%25&ws=0&qm=0&st=1&nh=10&lk=1&rf=0&rq=0&qt=glieder&image1.x=5&image1.y=7
>
> --
> www.nondisputandum.com - soft reviews:
> freeware to Protect & Clean your PC
> freeware Office tools & Webbuilding aid
> + the Internet Addiction Test ;-)

David H. Lipman

07-09-2005, 10:49 PM

From: "Phil Weldon" <notdiscosed@example.com>

| Gee, if you had just attributed the quotes in the first place, rather than
| passing them on as your own, then we all would have been better off, and
| saved a lot of time. Please ATTRIBUTE! Not to do so is dishonest, and
| hurts your reputation.
|
| Phil Weldon

I agree. When one makes a statement such as the original post of this thread, and posted in
multiple virus and security News Groups, the post must reference authoritative sites and
reports.

'David H. Lipman' wrote
" ...When one makes a statement such as the original post of this thread,
and posted in multiple virus and security News Groups, the post must
reference authoritative sites and reports."

In this particular thread the unattributed quote was especially egregious
since it was defended by the original poster as if his own words:
"Perhaps I could have chosen my words differently, yes,.." ( from a 2JUN05
post in this thread by 'Nondisputandum.com').

Phil Weldon

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:Omv9axcaFHA.616@TK2MSFTNGP12.phx.gbl...
> From: "Phil Weldon" <notdiscosed@example.com>
>
> | Gee, if you had just attributed the quotes in the first place, rather
> than
> | passing them on as your own, then we all would have been better off, and
> | saved a lot of time. Please ATTRIBUTE! Not to do so is dishonest, and
> | hurts your reputation.
> |
> | Phil Weldon
>
> I agree. When one makes a statement such as the original post of this
> thread, and posted in
> multiple virus and security News Groups, the post must reference
> authoritative sites and
> reports.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

>In this particular thread the unattributed quote was especially egregious
>since it was defended by the original poster as if his own words:
>"Perhaps I could have chosen my words differently, yes,.." ( from a 2JUN05
>post in this thread by 'Nondisputandum.com').

<I could have chosen my words differently> is about the "Microshoot"
(Meaning Microshit) choice of words. Not exactly respectful in a
newsgroup about Microsoft.

But you are right about the reference... I should have done that.
If I gave the impression that it was me who found out about that new
Bagle version,.. I apologize. I never assume to be the guy who finds
first these kinda info and do refer whenever relevant to the original
poster.
See my blog & website
http://www.nondisputandum.com/blog.html

I have learned 3 things:

One: What I write in my blog is not always fit for a copy-paste in a
newsgroup.

Second: Quoting is a must... and even more than before, I'll respect
my resources. I accept the comments.

Third:
Instead of writing a be aware story, I should have given relevant
links & information. I'll remember that the info is more important
than the story.

'NonDisputandum.com' wrote, in part: "Second: Quoting is a must... and even
more than before, I'll respect my resources. I accept the comments."

A model mea culpa, and very welcome.

By the way, the problem is not that you claimed to have DISCOVERED the Bagle
variant (your original post did not give that impression), but as your
original post stood, it laid claim to the thoughts and words quoted.
Attribution can give greater weight to information, as well as give
recognition to the author.

Phil Weldon

"NonDisputandum.com" <webmaster_remove@remove_nondisputandum.com> wrote in
message news:m496a1dmlhrrrovf172008cresf0lq0p2r@4ax.com...
> On Sun, 05 Jun 2005 13:29:10 GMT, "Phil Weldon"
> <notdiscosed@example.com> wrote:
>
>
>>In this particular thread the unattributed quote was especially egregious
>>since it was defended by the original poster as if his own words:
>>"Perhaps I could have chosen my words differently, yes,.." ( from a 2JUN05
>>post in this thread by 'Nondisputandum.com').
>
> <I could have chosen my words differently> is about the "Microshoot"
> (Meaning Microshit) choice of words. Not exactly respectful in a
> newsgroup about Microsoft.
>
> But you are right about the reference... I should have done that.
> If I gave the impression that it was me who found out about that new
> Bagle version,.. I apologize. I never assume to be the guy who finds
> first these kinda info and do refer whenever relevant to the original
> poster.
> See my blog & website
> http://www.nondisputandum.com/blog.html
>
> I have learned 3 things:
>
> One: What I write in my blog is not always fit for a copy-paste in a
> newsgroup.
>
> Second: Quoting is a must... and even more than before, I'll respect
> my resources. I accept the comments.
>
> Third:
> Instead of writing a be aware story, I should have given relevant
> links & information. I'll remember that the info is more important
> than the story.
>
> --
> www.nondisputandum.com - soft reviews:
> freeware to Protect & Clean your PC
> freeware Office tools & Webbuilding aid
> + the Internet Addiction Test ;-)

>'NonDisputandum.com' wrote, in part: "Second: Quoting is a must... and even
>more than before, I'll respect my resources. I accept the comments."
>
>A model mea culpa, and very welcome.
>
>By the way, the problem is not that you claimed to have DISCOVERED the Bagle
>variant (your original post did not give that impression), but as your
>original post stood, it laid claim to the thoughts and words quoted.
>Attribution can give greater weight to information, as well as give
>recognition to the author.
>
>Phil Weldon